
Removing Addresses from an Exchange Server with PowerShell

This is probably a rare issue, but it is something I’ve come across in my work. Occasionally an Exchange administrator needs to remove an email address domain (the part of the email address that comes after the @ sign) from the organization. For instance, a portion of the users in an Exchange environment may have been migrated to a cloud-based email solution, and mail for that domain should no longer be handled internally. This can be a little tricky because removing the domain from the list of Accepted Domains in Exchange does not remove the addresses that are already stamped on users’ mailboxes, and a stale address can still attract mail. In this post, I’ll explain the process of removing an email domain from an Exchange server in the proper order.

Step 1 – Remove Address Policies that Use the Domain

Before you can remove an accepted domain from Exchange, you have to make sure no email address policy still assigns addresses on that domain to users. In Exchange 2007 and 2010, open the Exchange Management Console (EMC) and navigate to Organization Configuration > Hub Transport. The E-mail Address Policies tab lists the policies in place. Edit or remove any policy that generates addresses on the email address domain you want to remove.

In Exchange 2013, you would open the Exchange Admin Center and navigate to Mail Flow>Email address policies, then modify or remove any policies that include the offending Email Address Domain.

Step 2 – Remove the Domain from the list of Accepted Domains

This step is pretty self-explanatory: remove the domain from the list of accepted domains on the Exchange server, which tells Exchange to stop accepting mail destined for that domain. In Exchange 2007/2010 this is done from the same Hub Transport node in EMC; in Exchange 2013 it is under Mail Flow > Accepted Domains in the Exchange Admin Center. Select the domain you want to remove and delete it. If Exchange refuses because the domain is still referenced by an email address policy, go back to Step 1 and fix that policy first.

Step 3 – Remove Email Addresses

This part can be a little tricky. Removing the email address policies won’t necessarily remove the email addresses that users already have on their accounts, and if those addresses remain, mail can still end up going places you don’t want it to. Resolving this requires some work with PowerShell in the Exchange Management Shell (EMS).

After the email domain is removed, open EMS and run the following command:

Get-Mailbox -ResultSize Unlimited | Where-Object {$_.EmailAddresses -like "*@domain.com"}

Replace domain.com with whatever domain you’ve removed. The -ResultSize Unlimited switch matters in larger environments, because Get-Mailbox otherwise stops after the first 1000 mailboxes. Matching on "*@domain.com" rather than "*domain.com*" keeps the check exact: the looser pattern would also match mydomain.com or domain.com.au. This gives you a list of all the mailboxes that have one or more email addresses on the domain you’ve removed. If there are none, you’re done. If there are some mailboxes with the domain attached, you’ll want to run a quick script from my Technet gallery.

It will remove any email addresses that are on domain.com. One caveat: Exchange will not let you simply remove the address that is currently the primary SMTP address (the entry with the uppercase SMTP: prefix). If a mailbox’s primary address is on the domain you are retiring, set a new PrimarySmtpAddress on that mailbox first, then remove the old domain’s addresses. If the primary SMTP address is not one of the addresses being removed, the existing primary stays the same.
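The three steps above, carried through in code. This is an added example, not the Technet script referred to in the post: it assumes Steps 1 and 2 are already done (otherwise the policy stamps the addresses straight back), and the domain names, the function name and the choice of alias@NewDomain as a fallback primary are placeholders and assumptions of this example.

```powershell
# Added example (not the post's TechNet script): remove every SMTP proxy address on a
# retired domain from all mailboxes, moving the primary address first where it has to move.
# $OldDomain and $NewDomain are placeholders; run this in the Exchange Management Shell.
function Remove-RetiredDomainAddresses {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OldDomain,   # e.g. domain.com  (the accepted domain you removed)
        [Parameter(Mandatory)] [string] $NewDomain    # e.g. corp.example (a domain that stays accepted)
    )

    # Match only SMTP entries whose domain part is exactly $OldDomain.
    # "*domain.com*" would also hit mydomain.com and domain.com.au.
    $onOldDomain = "^smtp:[^@]+@$([regex]::Escape($OldDomain))$"

    $mailboxes = Get-Mailbox -ResultSize Unlimited | Where-Object {
        @($_.EmailAddresses | Where-Object { "$_" -imatch $onOldDomain }).Count -gt 0
    }

    foreach ($mbx in $mailboxes) {
        # Work on plain strings ("SMTP:user@domain.com"); uppercase SMTP: marks the primary.
        $addresses = @($mbx.EmailAddresses | ForEach-Object { "$_" })
        $stale     = @($addresses | Where-Object { $_ -imatch $onOldDomain })
        $primary   = $addresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1

        if ($primary -and ($stale -ccontains $primary)) {
            # Exchange will not remove the current primary address, so pick a replacement:
            # the first surviving SMTP address, or alias@$NewDomain if nothing survives
            # (assumption of this example; choose whatever naming rule your policy uses).
            $survivor = $addresses |
                Where-Object { $_ -imatch '^smtp:' -and $_ -inotmatch $onOldDomain } |
                Select-Object -First 1
            $newPrimary = if ($survivor) { $survivor.Substring(5) } else { "$($mbx.Alias)@$NewDomain" }

            if ($PSCmdlet.ShouldProcess($mbx.Identity, "set primary SMTP address to $newPrimary")) {
                # Disabling the policy stops it from stamping the old primary straight back.
                Set-Mailbox -Identity $mbx.Identity -EmailAddressPolicyEnabled $false `
                            -PrimarySmtpAddress $newPrimary
            }
        }

        # Strip the prefix and re-add a lowercase one: once the primary has moved, every
        # address on the old domain is a secondary (smtp:) entry, so these match exactly.
        $toRemove = @($stale | ForEach-Object { 'smtp:' + $_.Substring(5) })
        if ($PSCmdlet.ShouldProcess($mbx.Identity, "remove $($toRemove -join ', ')")) {
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ Remove = $toRemove }
        }
    }

    # Report anything still carrying the old domain so the run can be verified.
    Get-Mailbox -ResultSize Unlimited | Where-Object {
        @($_.EmailAddresses | Where-Object { "$_" -imatch $onOldDomain }).Count -gt 0
    } | Select-Object Name, PrimarySmtpAddress, EmailAddresses
}

# Dry run first, then for real:
# Remove-RetiredDomainAddresses -OldDomain domain.com -NewDomain corp.example -WhatIf
# Remove-RetiredDomainAddresses -OldDomain domain.com -NewDomain corp.example
```

Run it with -WhatIf first so you can see which mailboxes would get a new primary address before anything changes. For mail contacts, the same logic applies with Get-MailContact and Set-MailContact in place of the mailbox cmdlets.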

For that, you would want to modify the address policy to either add the new domain or replace the one you don’t want. Users who don’t have the setting to apply the address policy won’t get changed, but you can force those users to apply the policy with
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -EmailAddressPolicyEnabled $true

The script is not working for me. I have the addresses removed from the address policy, and I have the accepted domain removed as well, but when I run the script, it does not remove the email addresses. I also get an error:

I want to relay Scan-to-me emails to myself, where my account is in a hosted email system after moving from Exchange 2007. The hosted email server I relay to only accepts email with reply-to addresses on the domain to remove, e.g. mydomain.com. However, my scanner, which is syncing with AD for email addresses, will not have that mydomain.com address if I remove that domain from Exchange following the procedure.

Not sure I fully understand the situation you’re dealing with here. If your scanner is pulling email addresses from Active Directory, you should actually be able to go through the users and add the appropriate email addresses to their accounts by putting the email address into the email field in Active Directory Users and Computers. This doesn’t have to match the internal domain, it can be whatever you want or need it to be.

I am relatively new to Exchange administration. But the issue is we have two domains currently mydomain.com and mydomain.local. Each user has both addresses.
e.g. me@mydomain.com [default reply-to], me@mydomain.local

I want emails for mydomain.com to be relayed to the Hosted Email system. I followed the procedure to remove mydomain.com from:
1. Accepted domains
2. Default Address Policy
3. Individual mailbox.

However, when I do this, the default reply-to address becomes the next one on the account, which in this case is me@mydomain.local, and this ripples over automatically to the AD account, which is then picked up by the Scan-to-me system.

Therefore, an email address originating internally will come from @mydomain.local and this will not be accepted by the hosted email server.

I do not fully understand the communication happening between the Exchange 2007 server and the Windows 2008 R2 AD server. I am aware that the email address can be set but I do not know/understand the communication between exchange and AD that allows for the auto update of changes made in Exchange on the AD account. I am not sure if it is related but when a user is deleted in Exchange it deletes it from AD as well.

Okay, I get it. Exchange makes modifications to two Active Directory attributes when you change email settings on accounts. One is the Mail attribute, the other is the Proxy Addresses attribute. AD and Exchange are pretty heavily integrated with one another. If you are using a Hosted Exchange provider, you should uninstall Exchange from your environment, otherwise you’ll run into weird issues like this.

If, for some reason, you can’t do that, you can go into the Active Directory Users and Computers snap-in, go to View, select Advanced Features, then find a user, right click it, select Properties, then go to the Attributes tab. Find Mail in the list, then change that attribute to whatever you need it to be for the scanner to work right.
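The same inspection and fix from PowerShell, as an added example that is not part of the original reply: it reads the two attributes Exchange stamps (mail and proxyAddresses) and sets the mail attribute the scanner reads. It assumes the ActiveDirectory module (Get-ADUser/Set-ADUser); the user name, the scanner domain and the rule that the alias part stays the same are placeholders and assumptions of this example.

```powershell
# Added example: show the AD attributes Exchange writes for a user and, if the scanner
# needs a specific reply-to domain, set the mail attribute directly (what the reply above
# does by hand in ADUC). Requires the ActiveDirectory module; names are placeholders.
Import-Module ActiveDirectory

function Set-ScannerReplyAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. jdoe
        [Parameter(Mandatory)] [string] $ScannerDomain     # e.g. mydomain.com
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses

    # What Exchange has written so far: uppercase SMTP: is the primary, lowercase smtp: are secondaries.
    [pscustomobject]@{
        Mail        = $user.mail
        Primary     = @($user.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
        Secondaries = @($user.proxyAddresses | Where-Object { $_ -cmatch '^smtp:' })
    } | Format-List

    if ($user.mail -and ($user.mail -imatch "@$([regex]::Escape($ScannerDomain))$")) {
        return   # already on the domain the scanner expects; nothing to change
    }

    # Assumption of this example: the local part stays the same as the account name.
    $wanted = "$($user.SamAccountName)@$ScannerDomain"
    if ($PSCmdlet.ShouldProcess($SamAccountName, "set mail attribute to $wanted")) {
        Set-ADUser -Identity $SamAccountName -EmailAddress $wanted
    }
}

# Set-ScannerReplyAddress -SamAccountName jdoe -ScannerDomain mydomain.com -WhatIf
```

Note that only the mail attribute is touched; proxyAddresses is left to Exchange, so the address the scanner picks up and the addresses Exchange routes on can legitimately differ, which is exactly the situation the reply above describes.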

Generally, contacts should only have two addresses on them, one address that is internal to your organization (which is used to route mail to the contact) and the external email address of the contact.

That said, you should just be able to replace get-mailbox with get-mailcontact and set-mailbox with set-mailcontact.